2FA Codes + Backups

  • SpinRite v6.1 Release #3
    Guest:
    The 3rd release of SpinRite v6.1 is published and may be obtained by all SpinRite v6.0 owners at the SpinRite v6.1 Pre-Release page. (SpinRite will shortly be officially updated to v6.1 so this page will be renamed.) The primary new feature, and the reason for this release, was the discovery of memory problems in some systems that were affecting SpinRite's operation. So SpinRite now incorporates a built-in test of the system's memory. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

CredulousDane

Well-known member
Sep 26, 2020
62
6
Hi, I'm simply searching for tips to how to save all these QR codes as well as backup strings that usually follow every new 2FA setup.

Right now I have them on an encrypted USB but if that's done - I'm done with that. For some I've also only saved a text string and not the QR code (note sure why) but I'm thinking about taking a whole day out of the calendar and fix this once and for all. Keep QR codes for everything + backup stings - but what do I do next?

How do you do it? Do you have it several locations or how?
 
Hi, I'm simply searching for tips to how to save all these QR codes as well as backup strings that usually follow every new 2FA setup.

Right now I have them on an encrypted USB but if that's done - I'm done with that. For some I've also only saved a text string and not the QR code (note sure why) but I'm thinking about taking a whole day out of the calendar and fix this once and for all. Keep QR codes for everything + backup stings - but what do I do next?

How do you do it? Do you have it several locations or how?
@Steve prints them out and keeps them in a folder.
 
  • Like
Reactions: CredulousDane
A good password manager like Bitwarden or 1Password let's you save the 2FA credential with the user name and password. I do this with Bitwarden and only need to protect this single account with a third-party authenticator. I use Authy, which allows backing up to multiple devices, or you can print the QR code if you like.

Some may argue that saving the 2FA credential along with the user name and password defeats the purpose. I'd like to hear those arguments.
 
Well there's an additional complication. Any good site will ALSO require you to backup like 10 one-time login codes in case you should lose your 2FA ability. (You would use one of them to log in and change the 2FA or disable it, as appropriate.)

Right now I store the text version of the 2FA string (which would be a pain if I had to re-enroll) into my "system" (basically my Password Manager's notes field for the site) along with the 10 one-time login codes. This means if my Password Manager ever gets hosed, so does everything, but well, you gotta put some faith somewhere, right? Upon my passing, I want to be able to hand off my Password Manager as the one thing someone needs to know.
 
  • Like
Reactions: CredulousDane
For starters, things will become clearer once you realize the key string is the only part of the QR code that is critical or of any importance.

Read one of your QR codes in any smartphone QR app, and it will reveal the QR code is nothing more than a few plain-text strings. The key string is one of those fields, and is the only field that is used to generate those 6-digit numeric codes an authenticator displays when you use it. There may be a couple other fields, but they are merely for the user's convenience, such as a "name" field to help the user differentiate one TOTP token from another. You can add, remove, or edit those extra fields -- which I regularly do -- and they won't affect the calculation of those 6-digit codes, since authenticators just ignore them anyway.

There is nothing else unique about the QR code.

Right now I have them on an encrypted USB but if that's done - I'm done with that. For some I've also only saved a text string and not the QR code (note sure why) [...] How do you do it? Do you have it several locations or how?

The key string is the only thing critical to backup. If you save the QR code, you're de facto saving the key string because that's what is embedded in the QR code, so it's effectively the same thing as saving the key string in a text file. You can extract the key string from the QR code, and you can generate a new QR code from the text string, so I don't think one way is inherently any better than the other.

That said, for convenience I do both. I take screen shots of the QR codes and drop them in a small Veracrypt container, and also save copies of the text string. (Your USB stick is effectively the same thing as my Veracrypt.) QR screenshots are convenient when I need to set up the TOTP token on a different smartphone -- just pull up the picture on the computer and point the smartphone camera at the screen.

I also copy the alphanumeric key string and put it in the Notes field of my password manager (I use Bitwarden). The text version is useful for cut-and-paste setup of the token on authenticators that can't read QR codes, such as on a desktop computer.

Of course, you can save backups in any password manager of your choice, so Bitwarden isn't unique there. As an aside, though, I'll mention that the paid version of Bitwarden activates the TOTP function within the Bitwarden app or extension, so besides just holding a backup of the string you can also use Bitwarden in lieu of other authenticators to generate a 6-digit code whenever you need it.

Like your passwords, just follow the same best practices for backing up those TOTP key strings. Maintain multiple copies, on multiple media, in multiple locations, and use the same techniques you're already familiar with (good passwords, yada, yada) to secure those copies.

FWIW, my webpage, "Understanding Two-Factor Authentication", has some other helpful tips.
 
  • Like
Reactions: CredulousDane
I'm not saying this is a great idea. Just an idea. But, when I set up a new 2FA site or service, I store the QR code in the authentication apps on my phone, tablet, and one or two PC's. In the case of the tablet or phone, the QR Droid software keeps a history (optional) of all QR codes scanned. So, I could pull up a picture of the QR codes from that history. I keep the recover codes that @PHolder mentioned in a notes field along with the LastPass login data for the website.

May your bits be stable and your interfaces be fast. :cool: Ron
 
  • Like
Reactions: CredulousDane
I simply have an encrypted VeraCrypt container and keep the QR and/ or it's text sting in files inside the container. Each file is named with whatever site the credential(s) are for. That way I can keep the encrypted container in multiple places safely.
 
  • Like
Reactions: CredulousDane
Alright... I've got my 2FA folder in 4 locations now - 3 encrypted USBs and 1 small encrypted partition - and one of the USBs is at a friend's house.

The password for the encrypted devices is of course available, not right next to them but it can be found. For me, the encryption is merely in case I should lose the device or its life should come to an end. I have experienced USBs becoming copy protected / read only / corrupted. Would not be cool with my 2FAs on it ;) (but of course it would then just have to feel the head of a hammer)

In the last SN episode Leo talks about an authenticator called 2FAS, I think, and I'm thinking of switching to that - seems it could be a better choice than Google's.
 
Exactly, the encryption is in case of a lost device. I carry USB drives with encrypted stuff on them as an 'off site backup'. I've often said if I were to loose it I am not concerned that it's content would be decrypted, but more so that I would have to buy a replacement device. I as I am sure many others have had the same issue with a USB device going bad in one way or another, hence the multiple copies and places. I think pretty much everyone who listens to SN does that.